OT/ICS Security
OT/ICS VAPT services in Indonesia: SCADA, DCS, and PLC security assessment
In short
OT/ICS security assessment for SCADA, DCS, and PLCs in Indonesia. Passive methodology, no production disruption. Findings mapped to IEC 62443.
Industrial control systems operate under a different set of priorities than IT. Uptime comes first, and that means OT networks often grow for years without a security review. PLCs installed a decade ago still run on default credentials. Flat networks connect the production floor directly to the corporate office. Vendor remote access comes in through undocumented cellular modems. None of this is negligence — it is the natural result of operational priorities — but the risk it creates is real and measurable.
Alpha Code conducts OT/ICS security assessments using a methodology built for industrial environments: no active scanning, no production interruption, and findings mapped to IEC 62443 so both engineering teams and management can act on the results.
What the assessment covers
The assessment spans every layer of the industrial system, from field devices up to the connection point with the corporate IT network.
Industrial protocol traffic analysis covers Modbus, DNP3, OPC-UA, Profinet, and EtherNet/IP. Each protocol carries different security implications. Modbus, by design, has no authentication mechanism at all. Anyone who can reach the device on the network can send commands to it.
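Because Modbus carries no authentication, passive analysis has to work from who is sending which function codes. The sketch below is an added example, not Alpha Code's tooling or code from the original page: it parses Modbus/TCP frames from already-captured request payloads and lists state-changing commands that come from hosts outside an expected-master list. The IP addresses, the allowlist, and the sample frames are constructed, and it assumes the payloads are client-to-server TCP/502 data exported from a SPAN/TAP capture.

```python
import struct

# Function codes that change device state (Modbus Application Protocol spec).
WRITE_FUNCS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}

def parse_adus(payload):
    """Yield (unit_id, function_code, pdu_data) for each Modbus/TCP ADU in a TCP payload."""
    offset = 0
    while offset + 8 <= len(payload):           # 7-byte MBAP header + function code
        _tid, proto, length, unit = struct.unpack_from(">HHHB", payload, offset)
        end = offset + 6 + length               # length field counts unit id + PDU
        if proto != 0 or length < 2 or end > len(payload):
            return                              # not Modbus, or truncated capture
        yield unit, payload[offset + 7], payload[offset + 8:end]
        offset = end

def find_unexpected_writes(records, expected_masters):
    """records: (src_ip, request_payload) pairs; returns writes from unlisted sources."""
    findings = []
    for src, payload in records:
        for unit, fc, data in parse_adus(payload):
            if fc in WRITE_FUNCS and src not in expected_masters:
                pos = 4 if fc == 0x17 else 0    # 0x17 carries the read fields first
                addr = struct.unpack_from(">H", data, pos)[0] if len(data) >= pos + 2 else None
                findings.append((src, unit, WRITE_FUNCS[fc], addr))
    return findings

# Constructed sample requests (not from a real capture).
SAMPLE = [
    ("10.10.1.5",  bytes.fromhex("000100000006" "01" "03" "00000002")),  # HMI read
    ("10.10.1.5",  bytes.fromhex("000200000006" "01" "06" "001000ff")),  # HMI register write
    ("10.20.7.44", bytes.fromhex("000300000006" "01" "05" "0003ff00")),  # office host coil write
    ("10.20.7.44", bytes.fromhex("0004000000")),                         # truncated frame
]

if __name__ == "__main__":
    for finding in find_unexpected_writes(SAMPLE, expected_masters={"10.10.1.5"}):
        print(finding)
```

Each finding is a tuple of source address, unit ID, command name, and target address, which is enough to ask the engineering team whether that host is supposed to be writing to that device.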
Methodology: passive first, analytical throughout
We do not begin with active scanning. Industrial environments are not built to handle unexpected probe traffic, and a single misrouted packet can be enough to cause a device to stop responding.
The first phase runs one to two weeks because we need to observe a complete operational cycle: shift handovers, batch cycles, and idle periods. Traffic visible during normal production hours can look very different from what happens overnight or on weekends.
Configuration review is performed from backup files or configuration dumps taken manually by the client's engineering team, not from a live connection to active devices. This gives us an accurate picture of device configuration without touching anything in production.
Common findings in Indonesian industrial environments
Based on assessments across local industrial sectors, the same patterns appear in nearly every organization that has not previously undergone an OT security review.
Flat networks with no IT/OT segmentation
Office and production floor networks share the same subnet or connect without an industrial firewall. A ransomware incident on the IT side can reach PLCs and HMIs directly.
Default credentials on PLCs and HMIs
Many devices still run with factory-default usernames and passwords because hardening procedures were never executed at commissioning.
Legacy operating systems on engineering workstations
Windows XP and Windows 7 remain common on workstations running SCADA or DCS software. Both are past end of support and no longer receive security patches from Microsoft.
Undocumented vendor remote access
Cellular modems or VPN tunnels installed by vendors for maintenance are often absent from the network inventory and unmonitored by internal teams.
No USB and removable media controls
USB drives move configuration files, software updates, and production reports freely, with no malware screening procedure in place.
Most Indonesian industrial operators we assess for the first time sit at Security Level 0 or SL 1 under the IEC 62443 framework. SL 1 means the system is protected against casual or unintentional exposure, but not against deliberate attack. Achieving a real SL 1, not just on paper, closes the majority of commonly exploited attack vectors.
Regulatory context in Indonesia
Perpres 82/2022 defines 11 national critical infrastructure sectors: energy, water, transport, telecommunications, finance, food, health, government, defense, maritime, and industry. Operators in these sectors carry a higher security obligation, including for OT systems that control physical processes.
BSSN (Badan Siber dan Sandi Negara), Indonesia's national cybersecurity agency, has published ICS/SCADA security guidelines as the national reference framework. Our assessment reports map findings to both BSSN guidance and IEC 62443 simultaneously, so the output can be used directly to satisfy regulatory reporting requirements.
What you receive at the end
The final report is structured for two different readers: management who need to understand business risk, and engineers who need to perform technical remediation.
Deliverables include an executive summary in Bahasa Indonesia and English, technical findings organized by zone and system, an IEC 62443 gap heatmap showing each zone's position against the target security level, and a remediation roadmap prioritized by operational impact and implementation difficulty.
Frequently asked questions
No, if performed correctly. The discovery phase uses a passive SPAN port or TAP, so no active packets are sent onto the industrial network. Configuration reviews are done offline from backup files. Production systems are not touched during the engagement.